Fake Apple Pay: How Not To Be Tricked By Hackers' Malicious Phishing Pages

A mobile security firm has discovered a way hackers can mimic Apple Pay to trick you into giving them your credit card information. Above, the image shows an actual Apple Pay screen (left) compared to a fake phishing page (right). Note how the fake does not fill the entire screen. Photo: Wandera

Apple Pay will soon be available at more than 1 million stores across the U.S. and in the United Kingdom next month, but if you decide to use the payment system, proceed with caution -- security experts recently found an easy way for hackers to create fake Apple Pay forms designed to trick you into giving them your credit card information.

This type of attack is a form of phishing in which hackers create fake versions of a legitimate service to entice users to enter their information online, which is then sent directly to the hackers' databases. For example, hackers sometimes create Web pages designed to look like the Gmail login or other online accounts. The information often ends up for sale on the Dark Web.

With Apple Pay phishing, the process is more elaborate -- and potentially more damaging. By using an inexpensive routing device, hackers can create public Wi-Fi networks designed to lure in users. Once your iPhone is latched onto the network, hackers can send what is called a captive portal, the kind of screen users typically see when they try to log on at a Starbucks or at a hotel. In this scenario, the hackers design the portals to look like the Apple Pay page where you enter your credit card information.

You can see the difference between a real Apple Pay page and a phishing captive portal page in the image above, with the real page on the left.

Wandera, a firm that specializes in mobile enterprise cybersecurity, discovered the phishing tactic and has alerted Apple to it. The firm is hoping Apple will make changes to make it easier for iPhone users to spot fake Apple Pay pages. For example, Apple could show users their Apple ID, which is a bit of information only the user and Apple would be privy to.

For now, though, there are a couple of things you can do to make sure you aren't fooled into giving up your credit card information.

Only use Wi-Fi networks you trust. Everyone loves using free Wi-Fi to save data, but you should only log into networks you trust, like your own, your friends', your company's or your favorite coffee shop's, after asking them for the network's name. If you see an open Wi-Fi network that seems sketchy, it might be, and you're probably better off skipping it.

Look for the signs. With Apple Pay, you should only have to fill out your credit card information when you enter in a new card. Apple doesn't ask you to do so multiple times, so if you've already done it and your card hasn't changed, there's no reason to enter it again. Additionally, the Apple Pay credit card page should take up the entire screen. If you get a page that looks like it with a big gray square at the top, it's probably a malicious captive portal, which you should ignore.
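The following is an added example, not code from Wandera or from the original article: a heuristic a mobile security or network monitoring tool could apply to captive portal HTML, flagging any portal form that asks for payment card fields, which is the behavior described above. The hint list, the function names and both sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic: attribute text that suggests a payment-card field.
# "cc-number", "cc-exp" and "cc-csc" are standard HTML autocomplete tokens.
CARD_HINTS = re.compile(
    r"cc-number|cc-exp|cc-csc|card.?(number|num|no)|cvv|cvc|security.?code|expir",
    re.I,
)

class PortalFormScanner(HTMLParser):
    """Collects form fields whose attributes look like card-data prompts."""

    def __init__(self):
        super().__init__()
        self.card_fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select"):
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        haystack = " ".join(
            a.get(k, "") for k in ("name", "id", "autocomplete", "placeholder", "aria-label")
        )
        match = CARD_HINTS.search(haystack)
        if match:
            self.card_fields.append(a.get("name") or a.get("id") or match.group(0))

def portal_requests_card_data(html):
    """Return the names of card-like fields found in a captive portal page."""
    scanner = PortalFormScanner()
    scanner.feed(html)
    return scanner.card_fields

# Constructed sample: an ordinary hotspot sign-in page.
BENIGN_PORTAL = """<form action="/accept">
<input type="checkbox" name="accept_terms" required>
<input type="email" name="email" placeholder="Email address">
<input type="submit" value="Connect"></form>"""

# Constructed sample: a portal imitating a card-entry screen.
SUSPECT_PORTAL = """<form action="/submit">
<input name="pan" autocomplete="cc-number" placeholder="Card number">
<input name="exp" autocomplete="cc-exp" placeholder="MM/YY">
<input name="cvv" placeholder="Security code">
<input type="submit" value="Add Card"></form>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PORTAL), ("suspect", SUSPECT_PORTAL)):
        print(label, portal_requests_card_data(page))
```

A non-empty result is a signal to warn the user or block the portal, not proof of phishing.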